11/2/2022

Disk Scan (OR) Low Level Enumeration (FAT & NTFS File System) AND Zone.Identifier

AUNG ZAW MYO
DIGITAL FORENSICS MYANMAR


DISK SCAN (NTFS & FAT ) (ZONE.IDENTIFIER) 


Disk Scan (OR) Low Level Enumeration (FAT File System) 




Disk Scan Or Low Level Enumeration (G10950205a802900 Recovery (Q1005 


OPE94)P Forensics [GicoS03egqn60299 ga Ead3(G100503 s2006(gdol ODOOIl 


Recovery cpd0G002605a09¢¢ Recovery Application coSs saqcag: Storage oD 




Low Level Enumeration (Q{c9Soclos051 6§0090305g0 39096096033903209 


Mdsasand[§:e099 Delete 0009 File co20) [gooudador0 @GDSColoil 


FAT16, FAT32 File System sa02M3eBoE Root Directory Folder 

G2Q|AD009%0) Entry GoQ4)64) D|se2C saqcsao: Low Level Enumeration 
(G\e9Sclos05 NTFS File System aoe Master File Table oogo (GicoSclos051 
39033(qjc02%03 File System sac3o5 Delete cpd02003 2005g050) Entry 
5660203{Goz:dlor05iFile System 60203 (Gore06 File System 03:99 Basic 


Information 603{g0} Attributes sogdloélov051 
Attributes Go202 -

- File Created / Modified / Accessed Date/Time
- File Name, File Size, Attributes
- File Deleted or Existing Status


FAT File System cXeplopiasiaie Delete (195000203 File Folders 60203 (0xE5) 


38 (8: File System a0e6§ @a30092000208030]02051 


Entry 99 (0xE5) §io2060208 Low Level Enumeration (G1c0S03a0q/§ oo 
goog (Gs @ja3o00203 File Folder 60203(Ga00los051 Recover (Or) Forensics 
Analysis (gjc958390203 «jad000:05 File, Folder o3{Ga0[(Q:03eg005e9 a7§0d 






[Figure: FAT file system layout - Reserved Area | FAT Area | Data Area]

FAT File System


[Screenshot: X-Ways Forensics, Drive G: (FAT volume). Directory listing with columns Name, Description, Type, Size, Created, Modified, Record changed, Attr., 1st sector: System Volume Information (existing, 88 B, created 28-10-22 08:50:41, modified 28-10-22 08:50:42, SH, sector 8,200); (Root directory) (existing, 1.0 GB, sector 8,192); MD-NEXT_User_Guide_English.pdf (existing, pdf, 9.7 MB, created 28-10-22 08:54:36, modified 24-11-20 09:40:40, A, sector 9,024); MACTimeChange.docx (existing, docx, 392 KB, created 28-10-22 08:51:14, modified 01-01-22 04:50:50, A); Free space (net) 1.0 GB, FAT 2 (1.0 MB, sector 6,153), FAT 1 (1.0 MB, sector 4,114), Boot sector (2.0 MB, sector 0) - all virtual (for examination purposes).
Template pane decoding the short entry MACTIM~1.DOC: file name MACTIM~1, created date/time 10/26/2022 8:51 AM (created time refinement in 10 ms units), modified date/time 1/1/2022 4:50 AM, first cluster (low word) 6, file size 401,031.]

Example File

Hex of the short entry (32 bytes), followed in the dump by the long-name entries and the other directory entries:

4D 41 43 54 49 4D 7E 31 44 4F 43 20 00 5B 67 46   MACTIM~1DOC .[gF
5C 55 5C 55 00 00 59 26 21 54 06 00 87 1E 06 00   \U\U..Y&!T......

FAT Directory Entries






Directory Entries a2¢o09 Data Structure ordqfs(G5(3: File/Folder 
o3€ésa90203 GiolosSi Directory Entries oD 32 Bytes Size Golose5i 29.99 File 
Attributes, File orpsgiegod Starting Cluster, File Date & Time o30]§clozadi 
Directory Entries ao File Metadata & File Name sa0205a06q [a3:036869 
g2dloédloza5ii Storage 03:99 §103 File/ Folder 033390209 Directory 
Entries Go202 FAT File System goange Root Directory (Cluster No 2 ) 
@o§lor051 Directory Entries 99 oasaséeo Attributes GOQqSLS a6q):[03209 
Attributes 60203900 Operation System 8 Recovery or Forensics Tools 


Go2a200096020]0051 


Cluster Chains 


Data 60203 Storage col go Sector ( Sector 393960%(§H03 Cluster) 
GOQGO! GD 99628095200924)010205II 9905 Cluster CoQ Data 6024)6§0205II 
@959099 Cluster Go2026009 Data @§}60909650005I 2005 Data o Cluster 
WDOIECOIAD ASS 9D0H5E009093B0O gorVd800200) File Allocation Table 
(FAT) go 238ss0p5sco0%§los05i 




Directory Entries 99 File 099005 Cluster 99 B02COd0580009 DEUS 


(Goos:dloza5i1 FAT Entry o> Zero [gdcaqé Cluster go Data eGolons 
Unallocated [gSesolosadi Zero @[gdcgan:adqe Cluster 99 Data §103390209 
Allocated (gs eg 0lon05 Allocated [gdeaqé File Size aq Cluster 
WDOIECOIAIASS$ = DOHGCODAIZe0Og O05 ~—s- Cluster = Bd2Ude00905g9 


2, SO B tesiculosts 
282000588020. 603{(GO ODOOIl 




Cluster Chain Example 


File 1 4, Size gag Cluster 10 meso: Cluster 13 90398020009 
g0{gddlos05i File 1 ABlaqosqJeorusaBeE Directory Entries @9603(Gooo:03 
Starting Cluster oaaq6[a3 030309) Cluster - 10 me6g00r058802003 
GO},9|92 (gdclos05 File -1 Size saq File-1 4, Data od Cluster - 11 goge[ajoe: 
008[8:098(goleadi Cluster 11 o05 Data oo Cluster - 12 goe[a;oe: 
006[8 2098 (goleadi Cluster - 12 Mesos Data od Cluster -13 goge[agoc: 
998(goloro51 Cluster 13 99 End Of File (EOF) Signature §ieg.03390209 File-1 
4, Data o> Cluster-13 908920908 92{gd0los051 alos Cluster Chain 
(19d orde8esTcloro5i Free Cluster 8 Storage Disk Fragment [g503 


saeol eor95(8: Cluster Number GOQOD 3905 3903E8 [gdaqe9 (gdclecSi 
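The cluster-chain walk described above, as an added example (not code from the original slides): it follows FAT32 entries from a first cluster to the EOF marker, reports a broken chain (the state a deleted file is left in once its entries are zeroed), and falls back to the "first cluster + file size, assume no fragmentation" reading the text relies on. The two FAT tables are constructed to mirror the deck's cases, File 1 in clusters 10-13 and the .docx chain from cluster 6 to cluster 103; the table sizes and the 4,096-byte cluster are assumptions.

```python
# Added example (not from the original slides): walking a FAT32 cluster
# chain, detecting a broken chain, and the first-cluster + size fallback.
import struct

FAT32_MASK = 0x0FFFFFFF      # FAT32 entries use only the low 28 bits
FAT32_FREE = 0x00000000      # 0 = cluster not allocated
FAT32_BAD = 0x0FFFFFF7       # bad-cluster marker
FAT32_EOF_MIN = 0x0FFFFFF8   # 0x0FFFFFF8..0x0FFFFFFF = end of chain


def build_fat32(total_entries, chains):
    """Return a raw FAT32 table containing the given chains.

    chains: list of cluster lists, e.g. [[10, 11, 12, 13]]. Every other
    entry is left free. Entry 0 holds the media descriptor and entry 1 is
    reserved, as on a real volume. Constructed test data, not a real FAT."""
    entries = [FAT32_FREE] * total_entries
    entries[0] = 0x0FFFFFF8
    entries[1] = 0xFFFFFFFF
    for clusters in chains:
        for cur, nxt in zip(clusters, clusters[1:]):
            entries[cur] = nxt
        entries[clusters[-1]] = 0x0FFFFFFF    # EOF marker on the last cluster
    return b"".join(struct.pack("<I", e) for e in entries)


def fat32_entry(fat, cluster):
    """Read the 4-byte little-endian FAT entry for a cluster."""
    return struct.unpack_from("<I", fat, cluster * 4)[0] & FAT32_MASK


def follow_chain(fat, first_cluster):
    """Return the clusters of the chain starting at first_cluster.

    Stops at the EOF marker. A free (0) or bad entry means the chain is
    broken, which is exactly the state a deleted FAT file is left in."""
    chain, seen, cur = [], set(), first_cluster
    while True:
        if cur in seen:
            raise ValueError(f"cluster chain loops back to cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat32_entry(fat, cur)
        if nxt >= FAT32_EOF_MIN:
            return chain
        if nxt == FAT32_FREE or nxt == FAT32_BAD:
            raise ValueError(f"chain broken at cluster {cur}: entry {nxt:#x}")
        cur = nxt


def free_chain(fat, clusters):
    """Copy of the FAT with the given entries zeroed: what deleting a file
    does to its chain on FAT32."""
    fat = bytearray(fat)
    for c in clusters:
        struct.pack_into("<I", fat, c * 4, FAT32_FREE)
    return bytes(fat)


def clusters_needed(file_size, bytes_per_cluster):
    """Number of clusters a file of file_size bytes occupies (rounded up)."""
    return (file_size + bytes_per_cluster - 1) // bytes_per_cluster


def recover_contiguous(first_cluster, file_size, bytes_per_cluster):
    """Clusters to read back when the FAT chain is gone: assume the file was
    not fragmented and take first cluster + size, as the text describes."""
    count = clusters_needed(file_size, bytes_per_cluster)
    return list(range(first_cluster, first_cluster + count))


# constructed tables for the two cases in the slides
FAT_FILE1 = build_fat32(64, [[10, 11, 12, 13]])
FAT_DOCX = build_fat32(128, [list(range(6, 104))])        # clusters 6..103
FAT_DOCX_DELETED = free_chain(FAT_DOCX, range(6, 104))    # after deletion

if __name__ == "__main__":
    print("File 1 chain:", follow_chain(FAT_FILE1, 10))
    chain = follow_chain(FAT_DOCX, 6)
    print(".docx chain: %d clusters, %d..%d" % (len(chain), chain[0], chain[-1]))
    try:
        follow_chain(FAT_DOCX_DELETED, 6)
    except ValueError as err:
        print("after deletion:", err)
    print("recover by size, last cluster:", recover_contiguous(6, 401031, 4096)[-1])
```

With the .docx size of 401,031 bytes and 4,096-byte clusters the fallback yields 98 clusters, 6 through 103, which is the same range the intact chain produces; on a fragmented file the two answers differ, and only the FAT can tell.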




[Screenshot: X-Ways Forensics, Drive G: (FAT volume), directory listing with columns Name, Description, Type, Size, Created, Modified, Record changed, Attr., 1st sector:
- weSettings.dat - existing, dat, 12 B, created 28-10-22 08:50:41, modified 28-10-22 08:50:42, A, sector 8,208
- MD-NEXT_User_Guide_English.pdf - existing, pdf, 9.7 MB, created 28-10-22 08:54:36, modified 24-11-20 09:40:40, A, sector 9,024
- MACTimeChange.docx - existing, docx, 392 KB, created 28-10-22 08:51:14, modified 01-01-22 04:50:50, A
- IndexerVolumeGuid - existing, 76 B, created 28-10-22 08:50:46, modified 28-10-22 08:50:48, A, sector 8,216
- Idle space; Free space (net) 1.0 GB; FAT 2 (1.0 MB, sector 6,153); FAT 1 (1.0 MB, sector 4,114); Boot sector (2.0 MB, sector 0) - virtual (for examination purposes)]


MAC Time Changed Docx File o> Cluster-6 go000e (8: Cluster 103 99 


39082 2005 o20n003 (gE 9 (gdoloza5i 


[Figure: X-Ways hex view of the FAT for the .docx file, decimal offsets 0002106368 onward. The chain of the previous file ends at cluster 5 (EOF marker); the .docx chain starts at cluster 6 and every FAT entry points to the next cluster (07, 08, 09, ... - shown in the ASCII column as the ladder ! " # $ ... A B C D ... a b c d e f g) until the EOF marker at cluster 103.]

EOF ( Cluster 103)

Docx File - File Allocation Table (FAT) - FAT Entry




[Screenshot: X-Ways Forensics listing after deletion - System Volume Information (existing, 88 B, created 28-10-22 08:50:41); (Root directory) (existing, 1.0 GB); MD-NEXT_User_Guide_English.pdf (existing, pdf, 9.7 MB, created 28-10-22 08:54:36); MAC Time Change.docx (renamed/moved, data not necessarily intact, docx, 392 KB, created 28-10-22 08:51:14); Idle space; Free space (net) 1.0 GB; FAT 2 (1.0 MB); FAT 1 (1.0 MB).]

Hex view of the deleted directory entries (two long-name entries followed by the short entry; the boxed bytes are the first cluster and the file size):

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F   ANSI ASCII
00400080  E5 67 00 65 00 2E 00 64 00 6F 00 0F 00 E3 63 00   .g.e...d.o....c.
00400090  78 00 00 00 FF FF FF FF FF FF 00 00 FF FF FF FF   x...............
004000A0  E5 4D 00 41 00 43 00 20 00 54 00 0F 00 E3 69 00   .M.A.C. .T....i.
004000B0  6D 00 65 00 20 00 43 00 68 00 00 00 61 00 6E 00   m.e. .C.h...a.n.
004000C0  E5 41 43 54 49 4D 7E 31 44 4F 43 20 00 5B 67 46   .ACTIM~1DOC .[gF
004000D0  5C 55 5C 55 00 00 59 26 21 54 [06 00] [87 1E 06 00]   \U\U..Y&!T......

Deleted File Example


B9BIUS9O Directory Entries, Cluster Changed , File Allocation Table 


(FAT) sae[aqo€20308 (Gl [G1 FAT File System ore6s05 Delete (G1005080303 


File, Folder or) (0xE5) 3803 Signature 8{Ga00023(9:0]3u 399Q|DCOD809 MAC 


Time Change.docx 3803 File 8 Recovery (GS cop5[g19Se2[gdclosa5i 


MAC Time Change.docx File «, Directory Entries aves File @, Size § File a0 


2005 Cluster megoorecdadoroagpeg{o3090le05i 

Box saepsseqp§(goos:0) 6g005a03 Bytes 4 ad:03 Decimal e{goézoleo5
Deleted File Size

87 1E 06 00 (little-endian, read as 0x061E87) = 401031 Bytes (Deleted File Size)

Box saepsseqp§(gooss0) 6g005803 bytes 2 a5308 Decimal e(goéscleadi
First Cluster

06 00 (little-endian, read as 0x06) = 6 (Deleted File Start From Cluster Number 6)


saga 6 Directory Entries arg @]a300020) File @, File Size § File 




®ODCO) First Cluster BHOlBi 
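The directory-entry reading above (the 32-byte layout, the 0xE5 deletion marker, the little-endian file size and first cluster, the packed dates) as an added example, not code from the original slides: it parses the six hex lines of the deleted "MAC Time Change.docx" entries shown in the dump and also glues the long-file-name pieces back together. The field offsets are the standard FAT directory entry layout; nothing else is assumed.

```python
# Added example (not the deck's own code): parsing FAT short (8.3) and
# long-file-name directory entries from the deleted entries shown above.
import struct
from datetime import datetime

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5     # first byte of a deleted entry
END_OF_DIR = 0x00         # first byte of a never-used entry: nothing follows
ATTR_LFN = 0x0F           # attribute value of a long-name entry
ATTR_DIRECTORY = 0x10

# the six lines from the hex dump above (deleted entries: first byte 0xE5)
DIR_DUMP = bytes.fromhex(
    "E5 67 00 65 00 2E 00 64 00 6F 00 0F 00 E3 63 00"   # LFN piece 2: "ge.docx"
    "78 00 00 00 FF FF FF FF FF FF 00 00 FF FF FF FF"
    "E5 4D 00 41 00 43 00 20 00 54 00 0F 00 E3 69 00"   # LFN piece 1: "MAC Time Chan"
    "6D 00 65 00 20 00 43 00 68 00 00 00 61 00 6E 00"
    "E5 41 43 54 49 4D 7E 31 44 4F 43 20 00 5B 67 46"   # short entry ?ACTIM~1.DOC
    "5C 55 5C 55 00 00 59 26 21 54 06 00 87 1E 06 00"
)


def fat_datetime(date_word, time_word, tenths=0):
    """Decode a FAT packed date (7 bits year since 1980, 4 month, 5 day) and
    time (5 bits hour, 6 minute, 5 two-second units)."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2 + tenths // 100
    return datetime(year, month, day, hour, minute, second)


def lfn_piece(entry):
    """The 13 UTF-16LE characters of one LFN entry (offsets 1-10, 14-25, 28-31)."""
    raw = entry[1:11] + entry[14:26] + entry[28:32]
    return raw.decode("utf-16-le").split("\x00", 1)[0].rstrip("\uffff")


def parse_short_entry(entry):
    """Parse one 32-byte 8.3 entry into a dict."""
    (name, ext, attr, _nt, ctenth, ctime, cdate, adate,
     cl_hi, mtime, mdate, cl_lo, size) = struct.unpack("<8s3sBBBHHHHHHHI", entry)
    deleted = entry[0] == DELETED_MARKER
    # the first character is lost to the 0xE5 marker; show it as "?"
    base = ("?" + name[1:].decode("ascii", "replace")) if deleted \
        else name.decode("ascii", "replace")
    base, ext = base.rstrip(), ext.decode("ascii", "replace").rstrip()
    return {
        "short_name": base + ("." + ext if ext else ""),
        "deleted": deleted,
        "is_dir": bool(attr & ATTR_DIRECTORY),
        "first_cluster": (cl_hi << 16) | cl_lo,   # low word 06 00 -> 6 (high word is 0 on FAT16)
        "size": size,                              # 87 1E 06 00 -> 0x061E87 = 401031
        "created": fat_datetime(cdate, ctime, ctenth),
        "modified": fat_datetime(mdate, mtime),
        "accessed": fat_datetime(adate, 0).date(),
    }


def parse_directory(blob):
    """Walk a directory region entry by entry, attaching LFN pieces to the
    short entry that follows them. Deleted LFN entries lose their sequence
    byte (it becomes 0xE5), so on-disk order is the only ordering left: the
    last piece of the name is stored first."""
    records, pieces = [], []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = blob[off:off + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:
            break
        if entry[11] == ATTR_LFN:
            pieces.append(lfn_piece(entry))
            continue
        rec = parse_short_entry(entry)
        rec["long_name"] = "".join(reversed(pieces)) or None
        pieces = []
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in parse_directory(DIR_DUMP):
        print(rec)
```

Run against the dump, the parser returns one record: long name "MAC Time Change.docx", short name "?ACTIM~1.DOC", deleted, first cluster 6, size 401031, created 2022-10-28 08:51:14 and modified 2022-01-01 04:50:50, matching the X-Ways listing.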




SEONOISIOEDES§, File Allocation Table (FAT) , FAT Entry 92 9800 
(ja30002 0} @~3000209 File q, Cluster egqoc02@> aa[goz File cogeeo05 


§)S$200003 (Overwrite) [gdesa0c02%8802008(0909dle05i 


[Screenshot: X-Ways Forensics listing (FAT 2, FAT 1, Boot sector - virtual, for examination purposes) and hex view of the FAT at offset 00301200. Each FAT32 entry is 4 bytes, little-endian:

00301200  F8 FF FF 0F  FF FF FF FF  FF FF FF 0F  FF FF FF 0F   entries 0-3: media descriptor, reserved, EOF, EOF
00301210  FF FF FF 0F  FF FF FF 0F  07 00 00 00  08 00 00 00   entries 4-5: EOF; entry 6 -> 7; entry 7 -> 8
00301220  09 00 00 00  0A 00 00 00  0B 00 00 00  0C 00 00 00   entries 8-11 -> 9, 10, 11, 12
...                                                             (each entry points to the next cluster)
00301390  65 00 00 00  66 00 00 00  67 00 00 00  FF FF FF 0F   entries 0x64-0x66 -> 0x65, 0x66, 0x67; entry 0x67 (103): EOF]

File Allocation Table (FAT Entry)


Cluster Number 6 92 0 [gSeso3s00205 Cluster 6 99 ga(gos Data cop 


Overwrite o[gdcooz0lons Overwrite o[gde00203390309 gja50ba305 File o3 


Or 


Recovery Or Forensics Purpose 390309 (QS copdqur8éclor051 Data 




[GS cop5qu203e99996009 Data §o> Cluster co203 Cluster Chain sac3ézqo 


ag ls (GScopSquze2lGSvloooSi 






FAT File System Recovery 


DEOHORESS FAT File System 026908 Recovery opdecdsabge Directory 
Entry gogesop0c0excqsogssssaayOo[gbo> File onpg5qope8qo08 [gop 
First Cluster egnasegzocBi File Size egposegzoeG 

First Cluster eqpodagos9gc File O2256j)026$9I0) @IISCEOI20II 

File Size eqoasagosgqce Cluster capevl go File QDI2QE0INI3200E$ JP 


AQIAODOIQISOOII egoasagor0eadi 


File Allocation Table (FAT Entry) 99 File on259egop Cluster Ga2¢9 3/998 File 
Data 60309 Overwrite [gdoazos (Cluster Chain) egnaseqoc8 ESE 






Disk Scan (OR) Low Level Enumeration (NTFS File System) 


NTFS File System sae[aqoess, Master File Table (MFT) sae[agoc: 




eCDFP File System 9269 39093[9:(GSdloo05iI 389026009 NTFS File System 99 
§iegO3 EYjOdqea020} Text File o8607.q90{gddloou05i Flag oo 1 (gdes 
03390205 File a> Storage cdgo0003§ §eg80(gdclor05i1 Sequence Number 
05 1 (gdegcloou5i Delete Text File.txt File ¢, MFT Entry Record Number 
Mc6orp 52 [gddlos05i Attribute $80 Data 03{0993(Q:c029 File a muses 
§P92 Jeg crcsa8or003(a903dle05iI OY §od Attributes gae[aqoe: 6020 File 


System Analysis gac[aqoeze0 copseqsooo: [Gs [gdor0e[0}0¢ @603[Geor9 


[Screenshot: X-Ways hex view of the MFT record of viber_image_2022-10-28 08-58-33-518.jpg (jpg, 26.5 KB, 11/1/2022 12:54 PM). The record begins at offset 1550D000 with the signature 46 49 4C 45 30 00 ("FILE0"); the highlighted bytes are the sequence number (1) and the flags (0x0001, in use), with the record sizes 98 01 00 00 (408) and 00 04 00 00 (1,024).]

Sequence Number / Flag

NTFS File Before Delete On Storage




Templates: NTFS MFT File Record

Name                                 Offset   Value
Signature (must be 'FILE')           000      FILE
Offset to the update sequence        004      0x30
Update sequence size in words        006
$LogFile Sequence Number (LSN)       008      2,145,411
Sequence number                      010      1
Hard link count                      012      1
Offset to the first attribute        014      0x38
Flags                                016      01 00  (In use = 1, Directory = 0)
Real size of the FILE record         018      408
Allocated size of the FILE record    01C      1,024
Base FILE record                     020      0
Next attribute ID                    028
Update sequence number               030      0B 00
Update sequence array                032      00 00 00 00
> Attribute $10                      038
> Attribute $30                      098
> Attribute $40                      120
End marker                           190      0xFFFFFFFF

NTFS File Record


[Hex of Attribute $80 ($DATA) of Delete Text File.txt with the deck's colour boxes: attribute type 80 00 00 00, attribute length 48 00 00 00, the real and initialized sizes 1E 17 00 00 00 00 00 00 (0x171E), the data run 21 02 8B 05 followed by the 00 terminator, then the record's end marker FF FF FF FF.]

Data Run In $DATA


099 Colour Box G02 §gUS0028020000 Data Run List (gdclos05 6§0090255¢9 


Run list oBordaagié:Gooo:dlos05i 


[Figure: data run layout for Delete Text File.txt
Data Run Header: 21 - high nibble 2 = length in bytes of the First Cluster field, low nibble 1 = length of the Cluster Count field (2 + 1 = 3 bytes follow the header)
Cluster Count: 02
First Cluster: 8B 05
End Of Data Run: 00]

Data Run Detail
Data Run 39909099 NTFS File System ogc File 09954)9095 First Cluster 
Location , File Size saeco] eor05(§3 G§qPOPO0NIN099 Cluster 366) 390309 
Beo3(Q{gE:gdolooo5u ordM0508 Storage 99 Fragment [gdeso05 Bee 
Data Run o> ord90>95:0(95 2 or 3 or 4 aa0688 Fragment [go> 
saecl eor95[8:(Gaoeo [gdclos05 


Data Run Header 88029096099 Cluster Count 390309 Bytes esq 


290560090509005I First Cluster 20203 Bytes 9905600909 G9005800200) 


Gor 8cloo051 


395900896 Data Run Header Size o> 3 Bytes eS: First Cluster 390309 2 


Bytes go (821 Cluster Count 390309 1 bytes egqpocleadil 
Cluster Count 


glade Delete Text File.txt oo Cluster Count = 2 (Storage eo] 2 Cluster ¢§q 
J 20Q0le05 


First Cluster 


Delete Text File.txt oo First Cluster WEES (8B05) = (058B) = 1419 (Cluster 
Number 1419 meso: File @gqpordleo5 


Bytes Per Cluster = 4096 






Delete Text File.txt &, Size oo 5.8 KB (5939.2 Bytes) (g0}s002051 Cluster 


6§qo 2 6§E02E92(GSolo>051 4096 x 2 = 8192 Bytes 
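The data-run decoding walked through above, as an added example that is not the deck's own code. It generalises the single run 21 02 8B 05 00 shown for Delete Text File.txt to the fragmented case the text mentions (2, 3 or 4 fragments): every run after the first stores a signed delta from the previous run's first cluster, and a header with a zero-length offset field marks a sparse run. The fragmented run list is constructed for illustration; the 4,096-byte cluster size is the one the slides give.

```python
# Added example (not from the original slides): decoding an NTFS data run list.
def decode_data_runs(runs):
    """Return [(first_lcn, cluster_count), ...] for a run list.

    Each run starts with a header byte: low nibble = size of the cluster
    count field, high nibble = size of the offset field. The offset is a
    signed, little-endian delta from the previous run's first cluster
    (the first run is relative to 0). A 0x00 header ends the list; an
    offset size of 0 marks a sparse run with no clusters on disk."""
    result, pos, lcn = [], 0, 0
    while pos < len(runs):
        header = runs[pos]
        pos += 1
        if header == 0x00:
            break
        count_len, offset_len = header & 0x0F, header >> 4
        if count_len == 0 or pos + count_len + offset_len > len(runs):
            raise ValueError(f"malformed data run at byte {pos - 1}")
        count = int.from_bytes(runs[pos:pos + count_len], "little")
        pos += count_len
        if offset_len == 0:
            result.append((None, count))           # sparse run
            continue
        delta = int.from_bytes(runs[pos:pos + offset_len], "little", signed=True)
        pos += offset_len
        lcn += delta
        if lcn < 0:
            raise ValueError("data run points before cluster 0")
        result.append((lcn, count))
    return result


def run_clusters(runs):
    """Flat list of logical cluster numbers, sparse runs excluded."""
    clusters = []
    for lcn, count in decode_data_runs(runs):
        if lcn is not None:
            clusters.extend(range(lcn, lcn + count))
    return clusters


def run_byte_ranges(runs, bytes_per_cluster):
    """(start_offset, length) pairs to read from the volume, e.g. to read
    back a deleted file whose MFT record is still intact."""
    return [(lcn * bytes_per_cluster, count * bytes_per_cluster)
            for lcn, count in decode_data_runs(runs) if lcn is not None]


# the run list from the slides: header 0x21, count 0x02, first cluster 0x058B = 1419
TEXT_FILE_RUNS = bytes.fromhex("21 02 8B 05 00")
# constructed: the same first run, then 3 clusters 16 further on (+0x10),
# then 1 cluster 8 back (0xF8 = -8), then a 4-cluster sparse run
FRAGMENTED_RUNS = bytes.fromhex("21 02 8B 05 11 03 10 11 01 F8 01 04 00")

if __name__ == "__main__":
    print(decode_data_runs(TEXT_FILE_RUNS))            # [(1419, 2)]
    print(run_byte_ranges(TEXT_FILE_RUNS, 4096))       # [(5812224, 8192)]
    print(decode_data_runs(FRAGMENTED_RUNS))
```

The byte range 5,812,224 for cluster 1,419 is the decimal offset at which the X-Ways hex view later in the deck shows the file's content.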


[Screenshot: X-Ways Forensics, NTFS volume. Directory listing (Name, Description, Type, Size, Created, Modified): System Volume Information; Delete Folder ( NTFS Example); (Root directory); $Extend; viber_image_2022-10-28 08-58-33-518.jpg; Delete Text File.txt (1.3 KB, created 01-11-22 10:20:28, modified 01-11-22 10:23:15); Delete File Exmple PPT.pptx; cisco_whitepaper_govt_cyber_security_... - all existing, some already viewed.
Template pane for Attribute $80 ($DATA): attribute type, length (including header), non-resident flag, name length, name offset, flags, attribute ID, first VCN, last VCN, data runs offset, compression unit size, padding, allocated size, real size; Datarun: size, cluster count, first cluster; Data Run List.
Cluster list for Delete Text File.txt: Cluster 1,419 and Cluster 1,420.]

Cluster List In X-Ways Forensics


Sodasdle003 saconsa 6639036:6 (g 9 




Master File Table SMFT B[gaS5[o3 
SclooeSu 


[MFT Browser: $MFT Record Nr: 52, SeqNr: 1 - .\Delete Text File.txt - Parent Directory MFT#: 5, SeqNr: 5. Header: $MFT Record ID: 0001000000000034, Record Offset: 53248.
Data run 0x21028B05 decoded: header 0x21 (3 bytes follow), cluster count 0x02 = 2, first cluster 0x058B = 1419, clusters 1,419-1,420. Total Clusters: 2, Allocated Size: 8,192 bytes.]

Master File Table ($MFT)


309300199 Delete Text File.txt or) giasosas(Q[gdcloro51 File aB@jas 


c803(Q:eg005 ag00 File $30 MFT Entry Number 52 08(g8[a395 cSa503 








sales File Allocation Status ao 0 [gSeg03s00305 File BQO 002202090) 
602,999 [gddloxc5i1 Sequence Number arc5 01 > 02 asefgoézagoz03 


390209 399 MFT Entry o3028[A36qadcoo:02003 602,992[gdolor051 


Offset  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F   ASCII
000     46 49 4C 45 30 00 03 00 99 DE 20 00 00 00 00 00   FILE0...........
010     02 00 01 00 38 00 00 00 98 01 00 00 00 04 00 00   (sequence number 02 00, flags 00 00)
020     00 00 00 00 00 00 00 00 07 00 00 00 34 00 00 00   (record number 34 00 00 00 = 52)
030     00 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00
040     00 00 00 00 00 00 00 00 48 00 00 00 18 00 00 00   ........H.......
050     7E AE B0 10 A8 ED D8 01 03 C2 AB 57 BA ED D8 01   (timestamps)

Master File Table (After Deleted)






[Screenshot: X-Ways hex view at decimal offset 0005812224 (= cluster 1,419 x 4,096 bytes), the first cluster of Delete Text File.txt. The content is still on disk after deletion: "Hello" followed by filler bytes (rows of 2E with a 25 at the end of each row) and a trailing line end.]

Deleted File (X-Ways)






NTFS File System Recovery 


(y3002809 File of Recovery opdecssbeée Master File Table Record 
oBfogasoleasn MFT Entry oF) File Allocation 99 O [geese qya5ooo8 
on2{@do3320205 Data Attribute OBfoga50leasu Data Attribute aves First 


Cluster List , Cluster Count ons Bs99E File op Recovery yicp6e2 [geolooa5u 
MFT Entry 92 Record egnasegeusi First Cluster Number egonsegoud 


Cluster Count eypaegeud Data oo Overwrite [yaposea5a6qée Recovery 


icp68 eqpodapeo220ll 
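The first step of the recovery procedure above, reading the MFT record header to see whether the entry is still in use and what its sequence number is, as an added example that is not the deck's own code. The records are constructed to match the values the slides show for Delete Text File.txt: record 52 at offset 53248, sequence number 1 / flags 0x0001 before deletion and 2 / 0x0000 after. Attribute content is omitted from the constructed records (only the end marker is present), and the LSN value is the one from the template pane; everything else follows the standard FILE record header layout.

```python
# Added example (not from the original slides): FILE record header parsing,
# fixup (update sequence) handling, and the record number / reference maths.
import struct

RECORD_SIZE = 1024
SECTOR_SIZE = 512
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002
HEADER_FMT = "<4sHHQHHHHIIQHHI"   # 48 bytes: signature .. record number


def parse_record_header(record):
    """Decode the FILE record header fields the text discusses."""
    (sig, usa_off, usa_size, lsn, seq, links, first_attr, flags,
     real_size, alloc_size, base_ref, next_attr_id, _pad,
     record_number) = struct.unpack_from(HEADER_FMT, record, 0)
    if sig != b"FILE":
        raise ValueError("not a FILE record (signature %r)" % sig)
    return {
        "sequence_number": seq,                    # bumped when the record is reused
        "hard_links": links,
        "first_attribute_offset": first_attr,
        "flags": flags,
        "in_use": bool(flags & FLAG_IN_USE),       # 0 after deletion
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "real_size": real_size,
        "allocated_size": alloc_size,
        "base_record": base_ref,
        "next_attribute_id": next_attr_id,
        "record_number": record_number,
        "lsn": lsn,
    }


def apply_fixups(record):
    """Undo the update sequence: the last two bytes of every sector hold the
    USN and must be replaced by the saved bytes from the fixup array before
    any attribute data in the record is trusted."""
    rec = bytearray(record)
    usa_off, usa_size = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_size):
        end = i * SECTOR_SIZE
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def record_number_from_offset(mft_offset):
    """Record number = byte offset inside $MFT / record size (53248 -> 52)."""
    return mft_offset // RECORD_SIZE


def file_reference(record_number, sequence_number):
    """The 64-bit reference MFT Browser shows: sequence number in the top
    16 bits, record number in the low 48 (52, seq 1 -> 0x0001000000000034)."""
    return (sequence_number << 48) | record_number


def build_record(record_number, sequence_number, flags):
    """Constructed FILE record with a valid fixup array and an empty attribute
    area (end marker only). Test data, not a real MFT record."""
    rec = bytearray(RECORD_SIZE)
    struct.pack_into(HEADER_FMT, rec, 0, b"FILE", 0x30, 3, 2145411,
                     sequence_number, 1, 0x38, flags, 0x3C, RECORD_SIZE,
                     0, 6, 0, record_number)
    struct.pack_into("<H", rec, 0x30, 0x000B)          # update sequence number
    rec[0x32:0x36] = b"\x00\x00\x00\x00"                # saved sector-end bytes
    rec[0x38:0x3C] = b"\xFF\xFF\xFF\xFF"                # end-of-attributes marker
    for end in (SECTOR_SIZE, RECORD_SIZE):
        rec[end - 2:end] = b"\x0B\x00"                   # USN written over sector ends
    return bytes(rec)


BEFORE_DELETE = build_record(52, 1, FLAG_IN_USE)
AFTER_DELETE = build_record(52, 2, 0)

if __name__ == "__main__":
    for label, rec in (("before", BEFORE_DELETE), ("after", AFTER_DELETE)):
        h = parse_record_header(apply_fixups(rec))
        print(label, h["record_number"], h["sequence_number"], h["in_use"])
```

A record whose `in_use` flag is clear but whose `sequence_number` has only been incremented once is the candidate the rest of the procedure works on; once the record is reused the sequence number changes again and the old $DATA attribute is gone.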






Zone.Identifier 


Zone.Identifier 8 Windows XP Service Pack 2 , Windows Server 2003 
Service Pack 1 m¢6 o0r€[Gzc09593EsSdlosa5i1 Internet oo¢§ Download 
0905 File 60203 Safe [gde[go Windows o¢66 odG902868390202(gd0lor051 
IE Browser 990966 Download 0905 File @§ 009190 Zone.Identifier Stream 
dloédloxoSi 3993001996099 Microsoft Edge, Google Chrome, Mozilla Firefox, 
Opera, Chromium 05 Browser Go2mes Download a3 File e§209)92 
Zone.Identifier dloéclosuSi Default URL Security Zones co2§o3aecdar9 
Zone.Identifier a2 Zone 3 [gd03 Internet Zone godloédloza5ii Zone 3 
8802008 $MFT 902 MFT Browser §96036¢9 602,8E0lo0051 
Default URL Security Zones

- Local Intranet Zone
- Trusted Sites Zone
- Internet Zone
- Restricted Sites Zone
- Local Machine Zone


[Screenshot: Internet Properties > Security tab. "Select a zone to view or change security settings." Zones: Internet, Local intranet, Trusted sites, Restricted sites. Internet: "This zone is for Internet websites, except those listed in trusted and restricted zones."]

URL Security Zones Via Control Panel


399OODGODD NTFS Storage o3 dir /r Command 8{a32303aa9199 [géco3,6 oy) 
Zone.Identifier 603(gdolos05 3aG002B0303 more command 8 [o3a98¢ 
olosoS1 


[Screenshot: MFT Browser. Left pane: the $MFT tree ($MFT.copy0, [Orphan], [Root] with $AttrDef, $BadClus, $Bitmap, $Boot, $Extend, $LogFile, $MFT, $MFTMirr, $RECYCLE.BIN, $Secure, $UpCase, $Volume, APKPure_v3.18.38_apkpure.com.apk, azm, cisco_whitepaper_govt_cyber_security_..., Delete File Exmple PPT.pptx, Delete Folder ( NTFS Example), DFM, System Volume Information, viber_image_2022-10-28_08-58-33-518...).
Record pane for the cisco PDF: [0x06] Number of fix up byte pairs: 3; [0x10] $MFT Record Sequence Nr: 1; [0x12] Hard Link Count: 1; [0x14] Offset to 1st Attribute: 56; [0x16] Allocation Status: 0x0001; [0x18] Logical Size of MFT record: 768; [0x1C] Physical Size of MFT record: 1024; [0x20] Base Record: 0; [0x28] Next Available Attribute ID: 4; [0x2A] $MFT Record Nr: 53; [0x30] Update sequence Number: 10; [0x32] FixUp #1: 0x3D33; [0x34] FixUp #2: 0x0000; [0x1FE] / [0x3FE] Check Value: 0x0A00.
Attributes: [0x38] ID 0, Type (16) 10000000; [0x98] ID 2, Type (48) 30000000; [0x168] ID 1, Type (128) 80000000; [0x1B0] ID 3, Type (128) 80000000 - [0x1B9] Length of Stream Name: 15, [0x1BA] Offset to Stream Name: 24, [0x1BC] Attribute Flags: 0x0000, [0x1BE] Attribute ID: 3, [0x1C0] Resident Content Size: 270, [0x1C4] Resident Content Offset: 56, [0x1C8] Stream Name: Zone.Identifier, [0x1E8] Resident Content: [ZoneTransfer]..ZoneId=3..ReferrerUrl=https://www.cisco.com/c/dam/global/en_sg/assets/pd... ...20170504.pdf..HostUrl=https://ww...; Record Slack.]


MFT Browser §¢[a30303a001 Data Attribute cdeo Zone.Identifier o3609, 9 92{gdolor051 


[Screenshot: MFT Explorer. File list with Created / Modified / Record-modified / Accessed timestamps:
- APKPure_v3.18.38_apkpure.com.apk: 2022-11-02 03:44:00.8713165, 2022-11-02 03:42:52.8142485, 2022-11-02 03:44:00.8713165, 2022-11-02 03:44:00.8763032
- cisco_whitepaper_govt_cyber_security_digital_20170504.pdf: 2022-11-01 04:15:28.9715604, 2022-09-29 07:11:15.9875805, 2022-11-01 04:15:28.9715604, 2022-11-01 04:15:28.9745530
- Delete File Exmple PPT.pptx: 2022-11-01 03:53:15.1044582 (all shown timestamps)
- viber_image_2022-10-28_08-58-33-518.jpg: 2022-11-01 06:24:41.2358690, 2022-10-28 02:28:49.5464467, 2022-11-01 06:24:41.2358690, 2022-11-01 06:24:41.2368666
Hex view of the record of the cisco PDF, beginning 46 49 4C 45 30 00 03 00 88 B7 20 00 00 00 00 00 / 01 00 01 00 38 00 01 00 00 03 00 00 00 04 00 00 (FILE0; sequence number 1, hard link count 1, first attribute at 0x38, flags 0x0001, real size 0x300, allocated size 0x400), with the Details pane:
- FileName attribute 0x2: Size 0xD0, Content size 0xB4, Content offset 0x18, Resident: True; File name: cisco_whitepaper_govt_cyber_security_digital_20170504.pdf (Length: 0x39); Flags: Archive, Name Type: Posix, Reparse Value: 0x0, Physical Size: 0x20C000, Logical Size: 0x0; Parent Mft Record: Entry/seq 0x5-0x5; Created On / Content Modified On / Record Modified On / Last Accessed On: 2022-11-01 04:15:28.9715604
- DATA attribute 0x1: Size 0x48, Resident: False; Starting Virtual Cluster 0x0, Ending Virtual Cluster 0x208, Allocated Size 0x20C000; data run: Cluster offset 0x6CA, # clusters 0x20C
- DATA attribute 0x3: Size 0x148, Content size 0x10E, Name size 0xF, Name: Zone.Identifier, Content offset 0x38, Resident: True; Data (hex 5B-5A-6F-6E-65-54-72-61-6E-73-66-65-72-5D-0D-0A-... decoded as ASCII): [ZoneTransfer]..ZoneId=3..ReferrerUrl=https://www.cisco.com/c/dam/global/en_sg/assets/pd... ...20170504.pdf..HostUrl=https://ww...]


$MFT o3 MFT Explorer &g¢[a3a303a0<l[géq9 Zone.Identifier gooloéo> 


ZonelD, ReferrerURL, HostUrl 03(gdoloz05i1 


Zone.Identifier © 26g Download 0905 Artifacts aco] eorp0(@: 




- AppZoneId
- HostIpAddress
- HostUrl
- LastWriterPackageFamilyName
- ReferrerUrl
- ZoneId
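A parser for the Zone.Identifier stream content and the fields listed above, as an added example that is not the deck's own code: it reads the [ZoneTransfer] text, maps the ZoneId to the URL security zone name (the Windows zone ids 0-4, of which the slides name zone 3 = Internet), pulls out the download host, and lists the files that came from the Internet or Restricted zones for triage. The sample streams are constructed with placeholder URLs and the documentation address 203.0.113.10; their layout matches the [ZoneTransfer] content the MFT tools on these slides display.

```python
# Added example (not from the original slides): parsing Zone.Identifier
# alternate data streams and triaging downloads by security zone.
from urllib.parse import urlparse

# Windows URL security zone ids (URLZONE values); the slides show zone 3
ZONE_NAMES = {
    0: "Local Machine Zone",
    1: "Local Intranet Zone",
    2: "Trusted Sites Zone",
    3: "Internet Zone",
    4: "Restricted Sites Zone",
}

FIELDS = ("ZoneId", "ReferrerUrl", "HostUrl", "HostIpAddress",
          "AppZoneId", "LastWriterPackageFamilyName")


def parse_zone_identifier(data):
    """Parse the INI-style stream bytes; returns a dict with the zone name
    and the download origin. Raises ValueError if ZoneId is missing."""
    text = data.decode("utf-8", errors="replace")
    section, fields = None, {}
    for raw in text.splitlines():          # streams use CRLF line ends
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("no ZoneId in [ZoneTransfer] section")
    zone = int(fields["ZoneId"])
    host_url = fields.get("HostUrl")
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "unknown zone"),
        "referrer_url": fields.get("ReferrerUrl"),
        "host_url": host_url,
        "host": urlparse(host_url).hostname if host_url else None,
        "host_ip": fields.get("HostIpAddress"),
        "extra": {k: v for k, v in fields.items() if k not in FIELDS},
    }


def triage(streams):
    """Given {filename: zone_identifier_bytes}, list the files that came from
    the Internet or Restricted zones together with their download host, so an
    examiner can prioritise them."""
    hits = []
    for name, data in streams.items():
        info = parse_zone_identifier(data)
        if info["zone_id"] in (3, 4):
            hits.append((name, info["zone_name"], info["host"] or info["host_ip"]))
    return hits


# constructed sample streams (placeholder URLs, not taken from the slides)
SAMPLE_STREAMS = {
    "report.pdf": (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                   b"ReferrerUrl=https://example.com/downloads/\r\n"
                   b"HostUrl=https://cdn.example.com/files/report.pdf\r\n"),
    "tool.exe": (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                 b"HostIpAddress=203.0.113.10\r\n"
                 b"HostUrl=http://203.0.113.10/tool.exe\r\n"),
    "notes.docx": (b"[ZoneTransfer]\r\nZoneId=1\r\n"
                   b"HostUrl=file://fileserver/share/notes.docx\r\n"),
}

if __name__ == "__main__":
    for name, data in SAMPLE_STREAMS.items():
        print(name, parse_zone_identifier(data))
    print(triage(SAMPLE_STREAMS))
```

The bytes passed in are what `more < file:Zone.Identifier` prints or what the resident $DATA content of the named stream holds in the $MFT; a stream without a ZoneId line is rejected rather than silently treated as a local file.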




©869028390205 NetAnalysis o3 Tools Go208 saqjoSordar 


sae[gqgqscos Tools cozgeog eap{a3:dloru5i Open Source [gd03> MFT 
Browser , MFT Explorer , Timeline Explorer, MFTEcmd 0380d¢<03 8éclor051 
0G9020)399109 NTFS Storage ooe§ SMFT 3 02(8: odea0286dlor05iI 


NetAnalysis a2c5 SMFT a306¢9020200[gd0lo2051I 


[Screenshot: MFTECmd run ("CSV output will be saved to ...") and the CSV opened in Excel. One visible row: entry 43, seq 1, in use, parent 50/1, .\Delete FDFM.crt, .crt, 1306 bytes. Find All for "Identifier" in 20221102040946_MFTECmd_$MFT_Output.csv - 5 cell(s) found:
- $AG$1: ZoneIdContents (column header)
- $G$40: APKPure_v3.18.38_apkpure.com.apk:Zone.Identifier
- $AG$40: (Zone.Identifier data is non-resident)
- $G$44: cisco_whitepaper_govt_cyber_security_digital_20170504.pdf:Zone.Identifier
- $AG$44: [ZoneTransfer]ZoneId=3ReferrerUrl=https://www.cisco.com/c/dam/global/en_sg...]

MFTEcmd 8 $MFT on) CSV e[goEsor0[gddlooa5i

CSV File Mesos goegséclooo5i


[CSV rows from the MFTECmd $MFT output (entry number, sequence number, in use, parent entry/sequence, path, file name, extension, file size, ADS flags, SI flags, name type, created time):
- 44, 1, TRUE, 5, 5, ., APKPure_v3.18.38_apkpure.com.apk, .apk, 12283503, Archive, Posix, 44:00.9
- 44, 1, TRUE, 5, 5, ., APKPure_v3.18.38_apkpure.com.apk:Zone.Identifier, .Identifier, 603, Is Ads TRUE, Archive, Posix, 44:00.9
- 50, 1, TRUE, 5, 5, ., Delete Folder ( NTFS Example), None, Posix, 50:28.0
- 51, 1, TRUE, 5, 5, ., Delete File Exmple PPT.pptx, .pptx, 0, Archive, Posix, 53:15.1
- 53, 1, TRUE, 5, 5, ., cisco_whitepaper_govt_cyber_security_digital_20170504.pdf, .pdf, 2142798, Archive, Posix, 15:29.0
- 53, 1, TRUE, 5, 5, ., cisco_whitepaper_govt_cyber_security_digital_20170504.pdf:Zone.Identifier, .Identifier, 270, Is Ads TRUE, Archive, Posix, 15:29.0]


Master File cd¢9 [gEq Zone.Identifier co3(gdclor051 


[Screenshot: Timeline Explorer v2.0.0.1 with 20221102040946_MFTECmd_$MFT_Output.csv and 20221102043024_MFTECmd_$MFT_Output.csv open; columns File Name, Extension, Is Directory, Has Ads, Is Ads, File Size, Created0x10. Filtered on ".Identifier": APKPure_v3.18.38_apkpure.com.apk:Zone.Identifier, .Identifier, Is Ads checked, 603, 2022-11-02 03:44:00.]


Timeline Explorer od¢g0 SMFT File odc0p9{§3 Filter cpd{aza38¢0lor051 


Good Luck 
Aung Zaw Myo 


www.forensicsmyanmar.com 